TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2013

September 27, 2013

Reference Number: 2013-20-128

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website        / http://www.treasury.gov/tigta


HIGHLIGHTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT FOR FISCAL YEAR 2013

Highlights

Issued on September 27, 2013

Highlights of Reference Number: 2013-20-128 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS

The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. The Federal Information Security Management Act (FISMA) was enacted to strengthen the security of information and systems within Federal Government agencies. Until the IRS takes steps to fully implement all 11 security program areas covered by FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.

WHY TIGTA DID THE AUDIT

As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency’s information security programs and practices. This report presents the results of TIGTA’s FISMA evaluation of the IRS’s information security program for Fiscal Year (FY) 2013.

WHAT TIGTA FOUND

Based on our FY 2013 FISMA evaluation, TIGTA found that nine of 11 security program areas were generally compliant with the FISMA requirements. Six of the nine security program areas included all of the program attributes specified by the Department of Homeland Security’s (DHS) FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics:
• Continuous Monitoring Management.
• Risk Management.
• Plan of Action and Milestones.
• Contingency Planning.
• Contractor Systems.
• Security Capital Planning.

Three of the nine security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended:
• Incident Response and Reporting.
• Security Training.
• Remote Access Management.

However, two of the 11 security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics due to the majority of the DHS-specified attributes being missing or not working as intended:
• Configuration Management.
• Identity and Access Management.

WHAT TIGTA RECOMMENDED

TIGTA does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the DHS for the applicable FISMA evaluation period.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 27, 2013

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE INSPECTOR GENERAL
               DEPARTMENT OF THE TREASURY

FROM:    Michael E. McKenney
         Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2013 (Audit # 201320001)

This report presents the results of the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act[1] evaluation of the Internal Revenue Service for Fiscal Year 2013.
The Act requires the agency’s Inspector General to perform an annual independent evaluation of the agency’s information security program and practices to determine the effectiveness of such program and practices.

The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer. Copies of this report are also being sent to the IRS managers affected by the report results.

If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.


Table of Contents

Background ........................................................ Page 1

Results of Review .................................................. Page 3
    The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed ........ Page 3

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ........ Page 18
    Appendix II – Major Contributors to This Report ................ Page 20
    Appendix III – Report Distribution List ........................ Page 21
    Appendix IV – Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2013 Evaluation Period ........ Page 22


Abbreviations

CIO        Chief Information Officer
CM         Continuous Monitoring
DHS        Department of Homeland Security
FCD1       Federal Continuity Directive 1
FIPS       Federal Information Processing Standards
FISMA      Federal Information Security Management Act
FY         Fiscal Year
GAO        Government Accountability Office
HSPD-12    Homeland Security Presidential Directive-12
IP         Internet Protocol
IRS        Internal Revenue Service
IT         Information Technology
NIST       National Institute of Standards and Technology
OIG        Office of the Inspector General
OMB        Office of Management and Budget
PIV        Personal Identity Verification
POA&M      Plan of Action and Milestones
SCAP       Security Content Automation Protocol
SP         Special Publication
TIGTA      Treasury Inspector General for Tax Administration
US-CERT    United States Computer Emergency Response Team
USGCB      United States Government Configuration Baseline


Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

The Federal Information Security Management Act (FISMA) of 2002[1] was enacted to strengthen the security of information and systems within Federal agencies. Under the FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Agency heads are also responsible for complying with the requirements of the FISMA, related Office of Management and Budget (OMB) policies, and National Institute of Standards and Technology (NIST) procedures, standards, and guidelines.

One of the provisions of the FISMA requires the agencies to have an annual independent evaluation of their information security programs and practices performed by the agency Inspector General or an independent external auditor as determined by the Inspector General.[2] The OMB uses the information from the agencies and independent evaluations in its FISMA oversight capacity to assess agency-specific and Federal Governmentwide security performance, develop its annual security report to Congress, and assist in improving and maintaining adequate agency security performance.

In July 2010, the OMB delegated its responsibility to the Department of Homeland Security (DHS) for the collection of annual FISMA responses.[3] The DHS issued the FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics on November 30, 2012, for Fiscal Year[4] (FY) 2013 FISMA responses. These reporting metrics specified the security program areas for the Inspectors General to evaluate and listed specific attributes that each security program area should include. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to this report are listed in Appendix II.

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.
[2] The FISMA evaluation period for the Department of the Treasury is July 1, 2012, through June 30, 2013.
[3] In OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security, OMB delegated the responsibility for various operational aspects of Federal cyber security to the DHS, including overseeing the agencies’ compliance with the FISMA and developing analyses for the OMB to assist in the development of the FISMA annual report.
[4] A 12-consecutive-month period ending on the last day of any month. The Federal Government’s fiscal year begins on October 1 and ends on September 30.


Results of Review

The Internal Revenue Service’s Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed

The DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics that were issued on November 30, 2012, specified 11 information security program areas and a total of 98 attributes within the 11 areas for the Inspectors General to evaluate and determine compliance with FISMA requirements. The 11 information security program areas are as follows:
• Continuous Monitoring Management.
• Configuration Management.
• Identity and Access Management.
• Incident Response and Reporting.
• Risk Management.
• Security Training.
• Plan of Action and Milestones (POA&M).
• Remote Access Management.
• Contingency Planning.
• Contractor Systems.
• Security Capital Planning.

To complete our FISMA evaluation, we reviewed a representative judgmental sample[5] of 10 major IRS information systems. For each system in the sample, we assessed the risk management process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the plan of action and milestones process. In addition, we evaluated the IRS’s enterprise-level processes over configuration management, identity and access management, incident response and reporting, security training, remote access management, contractor systems, and security capital planning. During the FY 2013 FISMA evaluation period, we also completed seven audits, as shown in Appendix IV, which evaluated various aspects of information security at the IRS. We considered the results of these audits in our evaluation, as well as results from ongoing audits for which draft reports were issued to the IRS by August 8, 2013.

[5] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Based on our FY 2013 FISMA evaluation, we determined that nine of the 11 security program areas were generally compliant with the FISMA requirements. The following six security program areas included all of the program attributes specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics:
• Continuous Monitoring Management.
• Risk Management.
• Plan of Action and Milestones.
• Contingency Planning.
• Contractor Systems.
• Security Capital Planning.

The following three security program areas, while generally compliant, were not fully effective due to one program attribute that was missing or not working as intended:
• Incident Response and Reporting.
• Security Training.
• Remote Access Management.

However, two security program areas were not compliant with FISMA requirements and did not meet the level of performance specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics due to the majority of the DHS-specified attributes being missing or not working as intended:
• Configuration Management.
• Identity and Access Management.

Until the IRS takes steps to improve its security program deficiencies and fully implement all 11 security program areas required by FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.

The following matrix[6] presents TIGTA’s results for the 11 security program areas as specified by the DHS’s FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics. We have provided comments to support the “no” responses.
TIGTA’s results will be consolidated with the Department of the Treasury Office of Inspector General’s results of non-IRS bureaus and reported to the OMB.

[6] Many abbreviations in this matrix are used as presented in the original document and are not defined therein. However, we have provided the definitions in the Abbreviations page after the Table of Contents of this report.


1: Continuous Monitoring

Status of Continuous Monitoring Program [check one: Yes or No]: Yes

1.1. Has the organization established an enterprisewide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

  Yes   1.1.1. Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7).

  Yes   1.1.2. Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev 1, Appendix G).

  Yes   1.1.3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST SP 800-53, NIST 800-53A).

  Yes   1.1.4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST SP 800-53, 800-53A).

1.2. Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was not noted in the questions above.

TIGTA Comments: The IRS’s annual assessments of system security controls are predominantly manual. The IRS’s strategy for automating continuous monitoring includes the implementation of a tool called Archer, which will be a central repository and analysis engine for assessment results, such as automated vulnerability scans. Archer is in its initial development phases.


2: Configuration Management

Status of Configuration Management Program [check one: Yes or No]: No

2.1 Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

  Yes   2.1.1. Documented policies and procedures for configuration management.

  Yes   2.1.2. Defined standard baseline configurations.

  No    2.1.3. Assessments of compliance with baseline configurations.
        TIGTA Comments: The IRS has not deployed automated mechanisms to centrally manage, apply, and verify baseline configuration settings and produce FISMA compliance reports using the NIST-defined Security Content Automation Protocol (SCAP) format. During FY 2013, the IRS was in the process of implementing the Security Compliance Posture Monitoring and Reporting application, which is intended to provide the ability to assess compliance with baseline security controls in a SCAP-compliant format on an enterprisewide level; however, its implementation has been delayed.

  No    2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations.
        TIGTA Comments: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, the IRS processes to share vulnerability information to system owners and administrators are still under development.

  Yes   2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented.

  No    2.1.6. Documented proposed or actual changes to the hardware and software configurations.
        TIGTA Comments: The IRS has not yet fully implemented configuration and change management controls to ensure that proposed or actual changes to hardware and software configurations are documented and controlled. During FY 2013, the Enterprise Services organization was in the process of implementing the Enterprise Configuration Management System to provide an enterprise solution for configuration and change management.

  No    2.1.7. Process for the timely and secure installation of software patches.
        TIGTA Comments: The IRS has not yet fully implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During the FY 2013 FISMA evaluation period, TIGTA and the Government Accountability Office (GAO) identified critical patches that were missing or installed in an untimely manner on IRS computers.

  No    2.1.8. Software assessing (scanning) capabilities are fully implemented. (NIST SP 800-53: RA-5, SI-2)
        TIGTA Comments: Monthly vulnerability scans are not being performed on all systems.

  No    2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)
        TIGTA Comments: The IRS has not yet fully implemented vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, IRS processes to share vulnerability information with system owners and administrators are still under development. During the FY 2013 FISMA evaluation period, TIGTA and the GAO identified servers that were not consistently configured to have strong controls.

  No    2.1.10. Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2)
        TIGTA Comments: The IRS has not yet implemented a process to ensure timely and secure installation of software patches. During FY 2013, the IRS was in the process of evaluating tools that have the capability to perform automated patch management activities across a multitude of technologies and feed results to a centralized location. During FY 2013, TIGTA and the GAO identified critical patches that were missing or installed in an untimely manner on IRS computers.

2.2. Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in the questions above.


3: Identity and Access Management

Status of Identity and Access Management Program [check one: Yes or No]: No

3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

  Yes   3.1.1. Documented policies and procedures for account and identity management. (NIST SP 800-53: AC-1)

  No    3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems. (NIST SP 800-53: AC-2)
        TIGTA Comments: The IRS has not fully implemented unique user identification that complies with Homeland Security Presidential Directive-12 (HSPD-12). In addition, five of our 10 sampled systems did not have the NIST SP 800-53 AC-2 security control in place.

  No    3.1.3. Identifies when special access requirements (e.g., multifactor authentication) are necessary.
        TIGTA Comments: The IRS did not fully implement multifactor authentication in compliance with HSPD-12.

  No    3.1.4. If multifactor authentication is in use, it is linked to the organization’s PIV program where appropriate. (NIST SP 800-53: IA-2)
        TIGTA Comments: The IRS has not fully deployed multifactor authentication via the use of an HSPD-12 PIV card for all users for network and local access to nonprivileged or privileged accounts as required by HSPD-12.

  No    3.1.5. Organization has planned for implementation of PIV for logical access in accordance with government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)
        TIGTA Comments: Although the IRS is working to achieve its goal of 85 percent mandatory PIV use by the end of Calendar Year 2013, considerable challenges still exist for achieving full compliance due to its legacy environment.

  Yes   3.1.6. Organization has adequately planned for implementation of PIV for physical access in accordance with government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)

  No    3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles.
        TIGTA Comments: During FY 2013, TIGTA and the GAO identified users that had been granted more access than needed and instances where the separation-of-duties principle was not enforced.

  No    3.1.8. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.)
        TIGTA Comments: During FY 2013, the IRS was still in the process of implementing tools to achieve automated asset discovery and asset management.

  Yes   3.1.9. Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.)

  No    3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required.
        TIGTA Comments: During FY 2013, TIGTA and the GAO identified systems that do not have controls in place to ensure that accounts are terminated or deactivated once access is no longer needed.

  Yes   3.1.11. Identifies and controls use of shared accounts.

3.2. Please provide any additional information on the effectiveness of the organization’s Identity and Access Management that was not noted in the questions above.


4: Incident Response and Reporting

Status of Incident Response and Reporting Program [check one: Yes or No]: Yes

4.1 Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

  Yes   4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents. (NIST SP 800-53: IR-1)

  Yes   4.1.2. Comprehensive analysis, validation, and documentation of incidents.

  No    4.1.3. When applicable, reports to US-CERT within established time frames. (NIST SP 800-53, 800-61 OMB M-07-16, M-06-19)
        TIGTA Comments: The IRS did not always report incidents involving Personally Identifiable Information to the US-CERT within established time frames due to resource constraints.

  Yes   4.1.4. When applicable, reports to law enforcement within established time frames. (NIST SP 800-61)

  Yes   4.1.5. Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage. (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)

  Yes   4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.

  Yes   4.1.7. Is capable of correlating incidents.

  Yes   4.1.8. Has sufficient incident monitoring and detection coverage in accordance with Government policies. (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)

4.2.
Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Incident Management Program that was not noted in the questions\n                               above.\n\n\n5: Risk Management\nStatus of Risk                 5.1 Has the organization established a risk management program that is consistent\nManagement Program                 with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                         Yes\n[check one: Yes or No]             Besides the improvement opportunities that may have been identified by the\n                                   OIG, does the program include the following attributes?\xc2\xa0\n\n\n\n\n                                                                                                            Page 10\n\x0c   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\nInformation Security Management Act Report for Fiscal Year 2013\n\n\n\n             5.1.1. Documented policies and procedures for risk management, including\n      Yes\n             descriptions of the roles and responsibilities of participants in this process.\n             5.1.2. Addresses risk from an organization perspective with the development\n      Yes    of a comprehensive governance structure and organizationwide risk\n             management strategy as described in NIST SP 800-37, Rev.1.\n             5.1.3. Addresses risk from a mission and business process perspective and is\n      Yes    guided by the risk decisions from an organizational perspective, as described\n             in NIST SP 800-37, Rev. 1.\n             5.1.4. Addresses risk from an information system perspective and is guided by\n      Yes    the risk decisions at the organizational perspective and the mission and\n             business perspective, as described in NIST SP 800-37, Rev. 1.\n      Yes    5.1.5. Has an up-to-date system inventory.\n             5.1.6. 
Categorizes information systems in accordance with Government\n      Yes\n             policies.\n      Yes    5.1.7. Selects an appropriately tailored set of baseline security controls.\n             5.1.8. Implements the tailored set of baseline security controls and describes\n      Yes    how the controls are employed within the information system and its\n             environment of operation.\n             5.1.9. Assesses the security controls using appropriate assessment procedures\n             to determine the extent to which the controls are implemented correctly,\n      Yes\n             operating as intended, and producing the desired outcome with respect to\n             meeting the security requirements for the system.\n             5.1.10. Authorizes information system operation based on a determination of\n             the risk to organizational operations and assets, individuals, other\n      Yes\n             organizations, and the Nation resulting from the operation of the information\n             system and the decision that this risk is acceptable.\n             5.1.11. Ensures that information security controls are monitored on an\n             ongoing basis, including assessing control effectiveness, documenting\n      Yes    changes to the system or its environment of operation, conducting security\n             impact analyses of the associated changes, and reporting the security state of\n             the system to designated organizational officials.\n             5.1.12. Information-system-specific risks (tactical), mission/business-specific\n      Yes    risks, and organizational-level (strategic) risks are communicated to\n             appropriate levels of the organization.\n             5.1.13. Senior officials are briefed on threat activity on a regular basis by\n      Yes\n             appropriate personnel (e.g., Chief Information Security Officer).\n             5.1.14. 
Prescribes the active involvement of information system owners and\n             common control providers, chief information officers, senior information\n      Yes\n             security officers, authorizing officials, and other roles as applicable in the\n             ongoing management of information-system-related security risks.\n\n\n                                                                                     Page 11\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n\n                                   5.1.15. Security authorization package contains system security plan, security\n                         Yes       assessment report, and POA&M in accordance with Government policies.\n                                   (NIST SP 800-18, 800-37)\n                                   5.1.16. Security authorization package contains accreditation boundaries,\n                         Yes       defined in accordance with Government policies, for organization information\n                                   systems.\n                               5.2. Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Risk Management Program that was not noted in the questions\n                               above.\n\n\n6: Security Training\nStatus of Security             6.1 Has the organization established a security training management program that\nTraining Program                   is consistent with FISMA requirements, OMB policy, and applicable NIST\n                         Yes\n[check one: Yes or No]             guidelines? Besides the improvement opportunities that may have been\n                                   identified by the OIG, does the program include the following attributes?\xc2\xa0\n                                   6.1.1. 
Documented policies and procedures for security awareness training.\n                         Yes\n                                   (NIST SP 800-53: AT-1)\n                                   6.1.2. Documented policies and procedures for specialized training for users\n                         Yes\n                                   with significant information security responsibilities.\n                                   6.1.3. Security training content based on the organization and roles, as\n                         Yes\n                                   specified in organization policy or standards.\n                                   6.1.4. Identification and tracking of the status of security awareness training\n                         Yes       for all personnel (including employees, contractors, and other organization\n                                   users) with access privileges that require security awareness training.\n                                   6.1.5. Identification and tracking of the status of specialized training for all\n                                   personnel (including employees, contractors, and other organization users)\n                                   with significant information security responsibilities that require specialized\n                         No        training.\n                                   TIGTA Comments: The IRS did not track completions of specialized\n                                   information technology security training by contractors during the FY 2013\n                                   FISMA evaluation period.\n                                   6.1.6. Training material for security awareness training contains appropriate\n                         Yes\n                                   content for the organization. (NIST SP 800-50, 800-53)\n                               6.2. 
Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Security Training Program that was not noted in the questions\n                               above.\n\n\n\n\n                                                                                                           Page 12\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2013\n\n\n\n7: POA&M\nStatus of POA&M             7.1 Has the organization established a POA&M program that is consistent with\nProgram [check one:             FISMA requirements, OMB policy, and applicable NIST guidelines and\nYes or No]            Yes       tracks and monitors known information security weaknesses? Besides the\n                                improvement opportunities that may have been identified by the OIG, does\n                                the program include the following attributes?\xc2\xa0\n                                7.1.1. Documented policies and procedures for managing IT security\n                      Yes       weaknesses discovered during security control assessments and that require\n                                remediation.\n                      Yes       7.1.2. Tracks, prioritizes, and remediates weaknesses.\n                      Yes       7.1.3. Ensures that remediation plans are effective for correcting weaknesses.\n                      Yes       7.1.4. Establishes and adheres to milestone remediation dates.\n                                7.1.5. Ensures that resources and ownership are provided for correcting\n                      Yes\n                                weaknesses.\n                                7.1.6. 
POA&Ms include security weaknesses discovered during assessments\n                                of security controls and that require remediation (do not need to include\n                      Yes\n                                security weaknesses due to a risk-based decision to not implement a security\n                                control). (OMB M-04-25)\n                                7.1.7. Costs associated with remediating weaknesses are identified.\n                      Yes\n                                (NIST SP 800-53: PM-3; OMB M-04-25)\n                                7.1.8. Program officials report progress on remediation to the CIO on a\n                                regular basis, at least quarterly, and the CIO centrally tracks, maintains, and\n                      Yes\n                                independently reviews/validates the POA&M activities at least quarterly.\n                                (NIST SP 800-53: CA-5; OMB M-04-25)\n                            7.2. Please provide any additional information on the effectiveness of the\n                            organization\xe2\x80\x99s POA&M Program that was not noted in the questions above.\n\n\n8: Remote Access Management\nStatus of Remote            8.1 Has the organization established a remote access program that is consistent\nAccess Management               with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                      Yes\nProgram [check one:             Besides the improvement opportunities that may have been identified by the\nYes or No]                      OIG, does the program include the following attributes?\xc2\xa0\n                                8.1.1. Documented policies and procedures for authorizing, monitoring, and\n                      Yes\n                                controlling all methods of remote access. (NIST SP 800-53: AC-1, AC-17)\n                                8.1.2. 
Protects against unauthorized connections or subversion of authorized\n                      Yes\n                                connections.\n\n\n\n\n                                                                                                       Page 13\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                   8.1.3. Users are uniquely identified and authenticated for all access.\n                                   (NIST SP 800-46, Section 4.2, Section 5.1)\n                                   TIGTA Comments: System administrators of the virtual private network\n                         No        infrastructure and server components do not use NIST-compliant multifactor\n                                   authentication for local or network access to privileged accounts. In addition,\n                                   virtual private network server components do not comply with password\n                                   requirements.\n                                   8.1.4. Telecommuting policy is fully developed. (NIST SP 800-46, Section\n                         Yes\n                                   5.1)\n                                   8.1.5. If applicable, multifactor authentication is required for remote access.\n                         Yes\n                                   (NIST SP 800-46, Section 2.2, Section 3.3)\n                                   8.1.6. Authentication mechanisms meet NIST SP 800-63 guidance on remote\n                         Yes\n                                   electronic authentication, including strength mechanisms.\n                                   8.1.7. 
Defines and implements encryption requirements for information\n                         Yes\n                                   transmitted across public networks.\n                                   8.1.8. Remote access sessions, in accordance to OMB M-07-16, are timed-out\n                         Yes\n                                   after 30 minutes of inactivity, after which re-authentication is required.\n                                   8.1.9. Lost or stolen devices are disabled and appropriately reported.\n                         Yes\n                                   (NIST SP 800-46, Section 4.3; US-CERT Incident Reporting Guidelines)\n                                   8.1.10. Remote access rules of behavior are adequate in accordance with\n                         Yes\n                                   Government policies. (NIST SP 800-53: PL-4)\n                                   8.1.11. Remote access user agreements are adequate in accordance with\n                         Yes\n                                   Government policies. (NIST SP 800-46, Section 5.1; NIST SP 800-53: PS-6)\n                               8.2. Please provide any additional information on the effectiveness of the\n                               organization\xe2\x80\x99s Remote Access Management that was not noted in the questions\n                               above.\n                               8.3. Does the organization have a policy to detect and remove unauthorized\n                         Yes\n                               (rogue) connections?\n\n\n9: Contingency Planning\nStatus of Contingency          9.1 Has the organization established an enterprisewide business\nPlanning Program                   continuity/disaster recovery program that is consistent with FISMA\n[check one: Yes or No]   Yes       requirements, OMB policy, and applicable NIST guidelines? 
Besides the\n                                   improvement opportunities that may have been identified by the OIG, does\n                                   the program include the following attributes?\xc2\xa0\n                                   9.1.1. Documented business continuity and disaster recovery policy providing\n                         Yes       the authority and guidance necessary to reduce the impact of a disruptive\n                                   event or disaster. (NIST SP 800-53: CP-1)\n\n\n\n                                                                                                            Page 14\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                 9.1.2. The organization has incorporated the results of its system\xe2\x80\x99s Business\n                                 Impact analysis into the analysis and strategy development efforts for the\n                       Yes\n                                 organization\xe2\x80\x99s Continuity of Operations Plan, Business Continuity Plan, and\n                                 Disaster Recovery Plan. (NIST SP 800-34)\n                                 9.1.3. Development and documentation of division, component, and IT\n                       Yes\n                                 infrastructure recovery strategies, plans, and procedures. (NIST SP 800-34)\n                       Yes       9.1.4. Testing of system-specific contingency plans.\n                                 9.1.5. The documented business continuity and disaster recovery plans are in\n                       Yes\n                                 place and can be implemented when necessary. (FCD1, NIST SP 800-34)\n                                 9.1.6. Development of test, training, and exercises programs. 
(FCD1, NIST\n                       Yes\n                                 SP 800-34, NIST SP 800-53)\n                                 9.1.7. Testing or exercising of business continuity and disaster recovery plans\n                       Yes\n                                 to determine effectiveness and to maintain current plans.\n                                 9.1.8. After-action report that addresses issues identified during\n                       Yes\n                                 contingency/disaster recovery exercises. (FDC1, NIST SP 800-34)\n                                 9.1.9. Systems that have alternate processing sites. (FCD1, NIST SP 800-34,\n                       Yes\n                                 NIST SP 800-53)\n                                 9.1.10. Alternate processing sites are not subject to the same risks as primary\n                       Yes\n                                 sites. (FCD1, NIST SP 800-34, NIST SP 800-53)\n                                 9.1.11. Backups of information that are performed in a timely manner.\n                       Yes\n                                 (FCD1, NIST SP 800-34, NIST SP 800-53)\n                       Yes       9.1.12. Contingency planning that considers supply chain threats.\n                             9.2. Please provide any additional information on the effectiveness of the\n                             organization\xe2\x80\x99s Contingency Planning that was not noted in the questions above.\n\n\n10: Contractor Systems\nStatus of Contractor         10.1 Has the organization established a program to oversee systems operated on\nSystems [check one:              its behalf by contractors or other entities, including organization systems and\nYes or No]             Yes       services residing in the cloud external to the organization? 
Besides the\n                                 improvement opportunities that may have been identified by the OIG, does\n                                 the program include the following attributes?\xc2\xa0\n                                 10.1.1. Documented policies and procedures for information security\n                                 oversight of systems operated on the organization\xe2\x80\x99s behalf by contractors or\n                       Yes\n                                 other entities, including organization systems and services residing in a public\n                                 cloud.\n                                 10.1.2. The organization obtains sufficient assurance that security controls of\n                       Yes       such systems and services are effectively implemented and comply with\n                                 Federal and organization guidelines. (NIST SP 800-53: CA-2)\n\n\n                                                                                                       Page 15\n\x0c                   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                Information Security Management Act Report for Fiscal Year 2013\n\n\n\n\n                                    10.1.3. A complete inventory of systems operated on the organization\xe2\x80\x99s behalf\n                                    by contractors or other entities, including organization systems and services\n                                    residing in a public cloud.\n                                    TIGTA Comments: In FY 2013, the IRS maintained two contractor managed\n                                    systems in the Trusted Agent FISMA, the U.S. Department of the Treasury\xe2\x80\x99s\n                          Yes       system for reporting FISMA data. 
The IRS also maintained a list of 130\n                                    contractor sites in FY 2013 that required annual security reviews because\n                                    each handles or processes IRS information. The IRS Infrastructure and\n                                    Security Review organization conducts reviews to ensure that security\n                                    controls and standards are met and issues reports of findings to these\n                                    contractors.\n                                    10.1.4. The inventory identifies interfaces between these systems and\n                          Yes\n                                    organization-operated systems. (NIST SP 800-53: PM-5)\n                                    10.1.5. The organization requires appropriate agreements (e.g.,\n                                    Memorandums of Understanding, Interconnection Security Agreements,\n                          Yes\n                                    contracts) for interfaces between these systems and those that it owns and\n                                    operates.\n                          Yes       10.1.6. The inventory of contractor systems is updated at least annually.\n                                    10.1.7. Systems that are owned or operated by contractors or entities,\n                                    including organization systems and services residing in a public cloud, are\n                          Yes\n                                    compliant with FISMA requirements, OMB policy, and applicable NIST\n                                    guidelines.\n                                10.2. Please provide any additional information on the effectiveness of the\n                                organization\xe2\x80\x99s Contractor Systems that was not noted in the questions above.\n\n\n11: Security Capital Planning\nStatus of Security              11.1 . 
Has the organization established a security capital planning and investment\nCapital Planning [check              program for information security? Besides the improvement opportunities\n                          Yes\none: Yes or No]                      that may have been identified by the OIG, does the program include the\n                                     following attributes?\xc2\xa0\n                                    11.1.1. Documented policies and procedures to address information security\n                          Yes\n                                    in the capital planning and investment control process.\n                                    11.1.2. Includes information security requirements as part of the capital\n                          Yes\n                                    planning and investment process.\n                                    11.1.3. Establishes a discrete line item for information security in\n                          Yes\n                                    organizational programming and documentation. (NIST SP 800-53: SA-2)\n                                    11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the\n                          Yes\n                                    information security resources required. (NIST SP 800-53: PM-3)\n\n\n                                                                                                          Page 16\n\x0c   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\nInformation Security Management Act Report for Fiscal Year 2013\n\n\n\n\n                11.1.5. Ensures that information security resources are available for\n      Yes\n                expenditure as planned.\n            11.2. 
Please provide any additional information on the effectiveness of the\n            organization\xe2\x80\x99s Security Capital Planning that was not noted in the questions\n            above.\n\n\n\n\n                                                                                        Page 17\n\x0c                       Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n                    Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                                                      Appendix I\n\n\n             Detailed Objective, Scope, and Methodology\n\nOur overall objective was to provide an annual independent evaluation of the effectiveness of the\nIRS\xe2\x80\x99s information technology security program and practices, and to assess the progress made by\nthe IRS in meeting the responsibilities established by the NIST and the OMB. The following\n11 evaluative sections are taken directly from the DHS FY 2013 Inspector General Federal\nInformation Security Management Act Reporting Metrics, issued on November 30, 2012.\n       1.    Continuous Monitoring Management.\n       2.    Configuration Management.\n       3.    Identity and Access Management.\n       4.    Incident Response and Reporting.\n       5.    Risk Management.\n       6.    Security Training.\n       7.    Plan of Action and Milestones.\n       8.    Remote Access Management.\n       9.    Contingency Planning.\n       10.   Contractor Systems.\n       11.   Security Capital Planning.\nTo accomplish our objective, we reviewed a judgmental sample1 of 10 major IRS information\nsystems from a total of 75 major applications maintained in the Trusted Agent FISMA system as\nof April 11, 2013. We selected a judgmental sample because we did not plan to project the\nresults. 
We conducted tests to determine the appropriate level of performance that the IRS has\nachieved for each of the security program areas. We also evaluated completed TIGTA work\nduring the FISMA period, as well as audits from the GAO, and determined its applicability to the\nFISMA questions.\nBased on our evaluative work, we indicated with a yes or no whether the IRS had achieved a\nsatisfactory level of performance for each security program area as well as each specific attribute\nlisted in the DHS FY 2013 Inspector General Federal Information Security Management Act\nReporting Metrics. The Department of the Treasury Office of Inspector General will combine\n\n\n\n1\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                               Page 18\n\x0c                 Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n              Information Security Management Act Report for Fiscal Year 2013\n\n\n\nour results for the IRS with its results for the non-IRS bureaus and submit the combined yes or\nno responses to OMB.\n\n\n\n\n                                                                                         Page 19\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. 
Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nMidori Ohno, Lead Auditor\nCharles Ekunwe, Senior Auditor\nBret Hunter, Senior Auditor\nMary Jankowski, Senior Auditor\nEsther Wilson, Senior Auditor\nTina Wong, Senior Auditor\n\n\n\n\n                                                                                     Page 20\n\x0c                Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n             Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                    Appendix III\n\n                         Report Distribution List\n\nActing Commissioner\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nOffice of the Deputy Commissioner for Services and Enforcement SE\nDeputy Commissioner for Operations Support OS\nChief Technology Officer OS:CTO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                          Page 21\n\x0c              Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n           Information Security Management Act Report for Fiscal Year 2013\n\n\n\n                                                                           Appendix IV\n\n Treasury Inspector General for Tax Administration\n  Information Technology Security-Related Reports\nIssued During the Fiscal Year 2013 Evaluation Period\n\n 1. TIGTA, Ref. No. 2012-20-099, Audit Trails Did Not Comply With Standards or Fully\n    Support Investigations of Unauthorized Disclosure of Taxpayer Data (Sept. 2012).\n 2. TIGTA, Ref. No. 
2012-20-112, An Enterprise Approach Is Needed to Address the\n    Security Risk of Unpatched Computers (Sept. 2012).\n 3. TIGTA, Ref. No. 2012-20-109, The Customer Account Data Engine 2 Database Was\n    Initialized; However, Database and Security Risks Remain, and Initial Timeframes to\n    Provide Data to Three Downstream Systems May Not Be Met (Sept. 2012).\n 4. TIGTA, Ref. No. 2012-20-115, Using SmartID Cards to Access Computer Systems Is\n    Taking Longer Than Expected (Sept. 2012).\n 5. TIGTA, Ref. No. 2013-20-016, Significant Delays Hindered Efforts to Provide\n    Continuous Monitoring of Security Settings on Computer Workstations (Jan. 2013).\n 6. TIGTA, Ref. No. 2013-20-023, Improvements Are Needed to Ensure the Effectiveness of\n    the Privacy Impact Assessment Process (Feb. 2013).\n 7. TIGTA, Ref. No. 2013-20-030, Integrated Financial System Updates Are Improving\n    System Security, but Remaining Weaknesses Should Be Addressed (Mar. 2013).\n\n\n\n\n                                                                                   Page 22\n\x0c'